Troubleshooting issues with the Dirty Line on Malware Analysis appliances

Article ID: 169020

Products

Malware Analysis Software - MA

Issue/Introduction

  • The IVM uses the back end interface settings instead of the dirty line for task processing
  • Running URL task processing for 'whatismyip.com' shows an error reaching the destination server
  • The dirty line has been configured, but it is unclear whether it is actually being used for task processing

Resolution

  1. Make sure the Firewall configuration setting is set to Limited for both Active and URL submissions.
  2. Use eth1 as the interface name of the dirty line interface, and do not change this setting to another interface.
  3. Confirm that no IVM profile has been customized. If one has, rebuild the profile.
  4. Make sure the default browser inside the IVM profile used for URL testing is not configured to use a proxy (in particular a proxy IP in the same subnet as the back end IP, which would route the traffic out through the back end).
  5. Ensure that the external firewall/router is not blocking the dirty interface from reaching the Internet.

Note that when the dirty line is configured via System Settings / Network / Internet Settings, it is used only when samples or URLs are executed with a task Firewall other than the isolated firewall. It is very helpful to know the external IP address of both the dirty line and the back end Internet connection when running these tests, since that is how you tell from the task report which connection was used.

Testing:

For testing, use a web page URL that shows your external IP address. This both confirms connectivity and shows that the right Internet connection is being used. To get fast results, submit the URL task directly in the MAA console rather than sending files via Security Analytics, the Content Analysis System or other automated methods.

This example uses http://checkip.dyndns.org for URL task processing:

  1. Monitor the dirty line connection
Connect to the MA Appliance via SSH as the g2 user.
Run these commands:
$ sudo -s
# tcpdump -vv -i eth1 | grep -i "dyndns.org"
Leave the SSH terminal open.
  2. Create the new URL task
i. Be sure to select the pre-configured "limited" firewall on the "basic" tab.
ii. Watch the tcpdump output in the SSH terminal. It should look like this:

# tcpdump -vv -i eth1 | grep -i "dyndns.org"
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
    192.168.1.100.56478 > google-public-dns-a.google.com.domain: [udp sum ok] 42001+ A? checkip.dyndns.org. (36)
    google-public-dns-a.google.com.domain > 192.168.1.100.56478: [udp sum ok] 42001 q: A? checkip.dyndns.org. 4/0/0 checkip.dyndns.org. CNAME checkip.dyndns.com., checkip.dyndns.com. A 91.198.22.70, checkip.dyndns.com. A 216.146.43.70, checkip.dyndns.com. A 216.146.38.70 (116)
 
iii. When the task is complete, stop tcpdump with CTRL+C.
iv. Check the task report. It should contain a screenshot showing the external IP address; compare it with the known external IP of the dirty line.
v. If you do not get the expected output, recheck the points provided in this solution.
 
  3. Support information:
Please provide the support package from https://<MAA IP>/support
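The following script is an added example for the test procedure above; it is not part of the article or of the Malware Analysis appliance software. It replaces the unfiltered tcpdump-plus-grep with a bounded capture using a BPF filter, parses the capture text for the DNS query and answer for the test host, and classifies the IP from the report screenshot against the two known external addresses. It assumes the dirty interface is eth1, the test host is checkip.dyndns.org, and that tcpdump and timeout exist on the appliance; the external IPs used in the comments are made-up values.

```shell
#!/bin/sh
# Added example, not from the KB article or the MA appliance software.
# Assumptions (not stated by the article): dirty interface eth1, test host
# checkip.dyndns.org, tcpdump and timeout available. Capture text is read
# from stdin so it can also be analysed later from a saved capture
# (tcpdump -w file, then tcpdump -nn -vv -r file).

TEST_HOST="${TEST_HOST:-checkip.dyndns.org}"
IFACE="${IFACE:-eth1}"

# capture_dirty_line [seconds]
# Bounded capture on the dirty interface with a BPF filter for DNS and web
# traffic, instead of decoding every packet and grepping it. -l line-buffers
# the output so it can be piped; -nn keeps addresses and ports numeric.
capture_dirty_line() {
    timeout "${1:-60}" tcpdump -nn -vv -l -i "$IFACE" \
        'udp port 53 or tcp port 80 or tcp port 443' 2>/dev/null
}

# analyse_capture < tcpdump-text
# Prints "query", "answer <ip>" and "http" as they are found.
# Returns 0 only if both a DNS query for TEST_HOST and an answer carrying at
# least one A record were seen in the capture, 1 otherwise.
analyse_capture() {
    saw_query=0
    saw_answer=0
    while IFS= read -r line; do
        case "$line" in
            *"+ A? $TEST_HOST."*)       # client query: "42001+ A? host."
                saw_query=1
                echo "query"
                ;;
            *"q: A? $TEST_HOST."*)      # server answer echoing the question
                for ip in $(printf '%s\n' "$line" | awk '
                    { for (i = 1; i < NF; i++)
                        if ($i == "A" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
                            ip = $(i+1); sub(/[^0-9.]*$/, "", ip); print ip } }'); do
                    saw_answer=1
                    echo "answer $ip"
                done
                ;;
            *"Host: $TEST_HOST"*)       # plain-HTTP request, when tcpdump decodes it
                echo "http"
                ;;
        esac
    done
    if [ "$saw_query" -eq 1 ] && [ "$saw_answer" -eq 1 ]; then
        return 0
    fi
    return 1
}

# which_path SEEN_IP DIRTY_EXTERNAL_IP BACKEND_EXTERNAL_IP
# Classifies the external IP shown in the task report screenshot against the
# two known egress addresses: prints dirty, backend or unknown.
which_path() {
    case "$1" in
        "$2") echo dirty ;;
        "$3") echo backend ;;
        *)    echo unknown ;;
    esac
}

# Typical use on the appliance (as root, started before submitting the URL task):
#   capture_dirty_line 120 | analyse_capture && echo "dirty line in use"
# Then compare the IP from the report screenshot with your two known
# external addresses (made-up values here):
#   which_path 203.0.113.5 203.0.113.5 198.51.100.7
```

If analyse_capture reports the query but no answer, the dirty line is being used but DNS replies are not coming back, which points at item 5 of the resolution (external firewall/router). If nothing is reported at all while the task runs, the IVM traffic is leaving through the back end, which points at items 1 to 4.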